This chapter covers two of the most powerful open-source intelligence (OSINT) frameworks used in penetration testing: Maltego and Recon-ng. You will learn how these tools automate the discovery of relationships between domains, IP addresses, email addresses, social media profiles, and more. For the PT0-002 exam, questions on OSINT tools appear in approximately 10-15% of the exam, and understanding Maltego and Recon-ng is critical for Objective 2.1: Given a scenario, perform passive reconnaissance. This chapter provides the depth needed to answer scenario-based questions about tool selection, module usage, and data interpretation.
Think of Maltego as a professional crime scene analyst with a giant evidence board, pushpins, and colored strings. She starts with a single clue—a phone number, a name, or an email address. She pins that clue in the center of the board. Then she pulls from dozens of databases—public records, social media profiles, DNS records, and business registries—to find every connection that clue has. Each new piece of evidence becomes a new pin, and she draws strings between them: this phone number is linked to this address, which is linked to this company, which has this employee email. The board becomes a dense web of relationships. She can zoom in to see the details of one pin or zoom out to see the whole network. She can color-code pins (people in red, companies in blue, domains in green) and filter out noise. Her work is visual, interactive, and exploratory—she follows the connections wherever they lead, building a map of the target's digital footprint.
Recon-ng, on the other hand, is like a meticulous data analyst who prefers spreadsheets and scripts. He also starts with a single clue, but instead of a visual board, he uses a command-line interface and a set of modular tools. He runs a module that queries Shodan for open ports, another that scrapes LinkedIn for employee names, another that checks Have I Been Pwned for credential leaks. Each module outputs structured data—CSV files or database tables—that he can chain together. He writes a small script to automate the entire workflow: input a domain, run 10 modules, output a report. He doesn't see the connections visually; he sees them in rows and columns. But his strength is speed, repeatability, and depth. He can run the same reconnaissance on 100 domains overnight, while the crime scene analyst would take a week on one.
Together, they cover the spectrum of OSINT: Maltego for intuitive, relationship-driven discovery, and Recon-ng for automated, scalable data gathering. On the PT0-002 exam, you need to know when to use each tool and how they complement each other in a penetration test's reconnaissance phase.
Overview of Maltego
Maltego is a graphical link analysis tool originally developed by Paterva (the product is now sold by Maltego Technologies). It is designed for open-source intelligence gathering and forensics. Maltego works by using "transforms": small pieces of code that query various data sources (e.g., DNS records, WHOIS databases, social media APIs) and return entities (e.g., domains, IP addresses, email addresses, people). These entities are displayed on a graph, with edges representing relationships. The tool has been sold in several editions: Maltego XL (for enterprise, with the largest result limits), Maltego Classic (for professionals), and Maltego CE (Community Edition, free for non-commercial use). The editions differ mainly in how many entities a single transform may return: CE is capped at 12 results per transform, which is the number to remember, and the paid editions raise that cap into the thousands. CE is not metered by a daily pool of credits; that is a common misreading of the 12 limit. For PT0-002, you need to know Maltego CE and its capabilities.
How Maltego Works Internally
When you drag an entity (e.g., a domain) onto the graph, you can right-click and select a transform. Maltego sends the entity value to a remote transform server (or a local transform if configured). The server queries the relevant data source and returns new entities. For example, the "To IP Address [DNS]" transform takes a domain and returns its resolved IP addresses. Each returned entity is added to the graph, and a directed edge is drawn from the original domain to the IP. You can then run transforms on the new entities, expanding the graph recursively. The graph is saved as an .mtgx file (Maltego 4; older releases used .mtgl), which can also be exported as an image or PDF.
Key Components of Maltego
Entities: The fundamental objects in Maltego. Types include Domain, IP Address, Email Address, Person, Phone Number, Company, etc. Each entity has properties like name, type, and weight.
Transforms: Code that fetches data. Some transforms are local (run on your machine), most are remote (run on Paterva's servers). Transforms are grouped by data source (e.g., DNS, Shodan, Have I Been Pwned).
Transform Hub: A marketplace where you can install additional transform packs (e.g., Shodan, VirusTotal). Some are free, some require API keys or payment.
Machines: Pre-built sequences of transforms that automate common tasks. For example, a "Footprint" machine might take a domain, resolve it to IPs, do a reverse IP lookup, find adjacent domains, and so on.
Graph View: The main workspace. You can zoom, pan, and apply layouts (e.g., radial, hierarchical) to organize entities.
Export: Graphs can be exported as images (PNG, SVG), PDF, CSV, or in Maltego's native format.
Configuration and Usage
Download and install Maltego CE from the Maltego website (maltego.com; older material still points at Paterva, the original vendor). You need a free account to use the Community Edition.
After installation, run Maltego and log in. The first run will prompt you to select a transform seed—this determines the initial set of transforms available.
To start an investigation, create a new graph (File > New). Drag an entity from the "Entity Palette" onto the graph. Common starting entities: Domain, Company, Person, Email Address.
Right-click the entity and select a transform. For example, with a domain, use "To IP Address [DNS]" or "To DNS Name [NSLookup]" or "To Website [Bing]" to find associated content.
Continue expanding by running transforms on new entities. Use the "Prune" feature to remove irrelevant nodes.
Save your graph regularly. Use the "Export" menu to create reports.
Overview of Recon-ng
Recon-ng is a full-featured web reconnaissance framework written in Python by Tim Tomes (lanmaster53). It provides a command-line interface modelled on Metasploit, with modules organized into categories (recon, discovery, import, reporting, and a small exploitation category). Despite the Metasploit-like prompt, the exploitation category holds only a couple of web-injection helpers; Recon-ng is a reconnaissance framework, not an exploitation framework. It is designed to automate the gathering of OSINT data through modular, repeatable workflows. It is free and open-source.
How Recon-ng Works Internally
Recon-ng uses a modular architecture. Each module is a Python script that performs a specific task, such as querying an API, scraping a website, or parsing a file. Modules are organized into categories: discovery, exploitation, import, recon, and reporting. The framework manages a workspace-specific SQLite database that stores all collected data (contacts, hosts, domains, etc.). Modules can read from and write to this database, allowing data to be shared between modules. For example, you can run a module that finds subdomains, which writes results to the hosts table, then run another module that resolves those hosts to IP addresses, and a third that geolocates the IPs.
Key Components of Recon-ng
Workspaces: Isolated environments for different projects. Each workspace has its own database and configuration. Use workspaces create <name> to start a new workspace.
Modules: Python scripts in the modules/ directory, loaded with load <module_path> (Recon-ng v5: modules load <module_path>, after a one-time marketplace install <module_path>). Common modules include recon/domains-hosts/google_site_web (Google search for subdomains), recon/hosts-hosts/resolve (DNS resolution), and recon/contacts-contacts/mailtester (email verification, present in older releases).
Keys: API keys required for some modules. Use keys add <name> <value> to store them. Common keys: shodan_api, github_api, twitter_api.
Database: SQLite database per workspace. Tables include hosts, contacts, domains, companies, and credentials. You can query the database with db query.
Reporting: One module per output format: reporting/csv, reporting/html, reporting/xml, reporting/json, reporting/xlsx, and reporting/list (which writes a single column of one table, for example every host, to a text file). Each takes a FILENAME option; there is no FORMAT option, you pick the format by picking the module.
Resource Scripts: Automate sequences of commands. Create a text file with one Recon-ng command per line and run it with resource <file> from inside the framework (v5: script execute <file>), or pass it at startup with recon-ng -r <file>.
Configuration and Usage
Install Recon-ng: git clone https://github.com/lanmaster53/recon-ng.git, then cd recon-ng and pip install -r REQUIREMENTS. Alternatively, use apt install recon-ng on Kali Linux.
A note on syntax: the commands below follow Recon-ng v4, which most PT0-002 study material still quotes. Recon-ng v5 (2019 onward) renamed several of them: load became modules load, set became options set, resource became script execute, and modules are no longer bundled but installed once from the marketplace (marketplace install recon/domains-hosts/google_site_web, or marketplace install all). Know both forms; a module that "does not exist" on a fresh v5 install has usually just not been installed yet.
Start Recon-ng with recon-ng. The first time, it creates the default workspace and its database under ~/.recon-ng/workspaces/default/.
Create a new workspace: workspaces create pentest1. This also switches you into it.
Add API keys if needed: keys add shodan_api YOUR_SHODAN_KEY.
Load a module: load recon/domains-hosts/google_site_web (v5: modules load recon/domains-hosts/google_site_web).
Set the source: set SOURCE example.com (v5: options set SOURCE example.com). SOURCE accepts a single value, the path to a file of values, a SQL query against the workspace database, or the keyword default.
Run the module: run. Results are stored in the hosts table of the workspace database.
Switch to another module: back, then load another, e.g., load recon/hosts-hosts/resolve.
Set the source to the hosts table: set SOURCE default. For resolve, default means the module's own query: every host in the hosts table that has no ip_address yet.
Run again. The resolved IPs are written back to the hosts table.
Generate a report: the reporting modules are one per format. load reporting/csv, set TABLE hosts, set FILENAME /tmp/hosts.csv, run writes the hosts table as CSV; load reporting/html with FILENAME /tmp/report.html (and optionally CREATOR and CUSTOMER) writes an HTML report of the whole workspace; reporting/xml and reporting/json do the same in those formats. reporting/list writes a single column of one table to a file (set TABLE hosts and COLUMN host) and has no FORMAT option.
Interaction Between Maltego and Recon-ng
Both tools can be used in the same penetration test. Typically, a tester might start with Recon-ng to automate bulk data collection (e.g., enumerate all subdomains, find email addresses, check for breaches). Then, the collected data can be imported into Maltego for visual analysis. Recon-ng can export a table as CSV (reporting/csv), which Maltego reads through its table import wizard (Import Graph from Table on the Import | Export tab of Maltego 4; the label varies by version), where you map each column to an entity type and, if you want edges rather than loose nodes, declare which columns connect. Alternatively, Maltego can query some of the same data sources directly, but Recon-ng is more efficient for large-scale automated collection.
Common Transforms and Modules for PT0-002
Maltego Transforms to Know (exact labels vary between Maltego versions and transform seeds; learn what each one does rather than its precise name):
- To IP Address [DNS] – Resolves a domain to IPv4 and IPv6 addresses.
- To DNS Name [NSLookup] – Performs a DNS lookup for common record types (A, AAAA, MX, NS, etc.).
- To Website [Bing] – Searches Bing for pages related to the entity.
- To Person [Social Networks] – Attempts to find social media profiles for a person.
- To Email Address [TheHarvester] – Uses theHarvester to find email addresses associated with a domain.
- To Company [Whois] – Performs a WHOIS lookup on a domain to find registrant info.
- To Phone Number [WhitePages] – Looks up a phone number in WhitePages (US only).
Recon-ng Modules to Know:
- recon/domains-hosts/google_site_web – Uses Google dorking to find subdomains.
- recon/domains-hosts/brute_hosts – Brute-forces subdomains using a wordlist.
- recon/hosts-hosts/resolve – Resolves hostnames to IP addresses.
- recon/hosts-hosts/reverse_resolve – Performs reverse DNS lookup.
- recon/contacts-contacts/mailtester – Verifies email addresses through the mailtester.com service, which in turn talks SMTP to the target's mail server. That service is gone and the module no longer ships in current releases, but it still appears in exam material.
- recon/contacts-contacts/linkedin_contacts – Pulls employee names and titles from LinkedIn. The LinkedIn API modules were removed from current releases after LinkedIn closed API access; expect the name on the exam, but in practice use the search-engine route below.
- recon/companies-contacts/bing_linkedin_cache – Finds LinkedIn profiles via Bing's cache.
- recon/domains-vulnerabilities/ghdb – Runs Google Hacking Database dorks (the GHDB is maintained by Exploit-DB) against the domain to surface exposed files and admin panels. Recon-ng has no general vulnerability scanner.
- reporting/csv, reporting/html, reporting/xml – Export the database in the named format (reporting/list writes one column of one table).
Automation and Scripting
Both tools support automation. In Maltego, you can use "Machines" to run a sequence of transforms automatically. In Recon-ng, you can write resource scripts: one command per line, exactly as you would type them at the prompt. For example, a resource script to enumerate a domain (v4 syntax; for v5 replace load with modules load and set with options set, and install the modules once beforehand with marketplace install):
workspaces create example_audit
load recon/domains-hosts/google_site_web
set SOURCE example.com
run
back
load recon/hosts-hosts/resolve
set SOURCE default
run
back
load reporting/csv
set TABLE hosts
set FILENAME /tmp/example_hosts.csv
run
exit
Save it as script.rc and run it with recon-ng -r script.rc. The framework replays the lines in order and stops at exit; without the exit line it leaves you at the interactive prompt with the workspace still loaded, which is handy when you want to inspect results by hand.
Limitations and Considerations
Rate Limiting: Many APIs (Google, LinkedIn, Shodan) have rate limits. Aggressive scraping can get your IP blocked.
Data Freshness: OSINT data can be stale. Always verify critical findings.
Legal Boundaries: Passive reconnaissance is legal, but some transforms may interact with websites in ways that violate terms of service. Stick to public data.
Result Limit: Maltego CE returns at most 12 entities per transform run, so a transform that would find hundreds of subdomains or email addresses silently shows you a dozen. Plan your investigations around that cap (narrow the input, run the transform on several parent entities) or use a paid edition.
API Keys: Many Recon-ng modules require API keys. Without them, those modules will fail.
Command Examples
Maltego command line: there is no Maltego CLI for running investigations. maltego-trx is a Python library for writing your own local transforms (a function that reads the input entity and adds output entities), which the GUI then executes; it is not something PT0-002 tests. The GUI is the primary interface.
Recon-ng command examples (v4 prompt syntax, as most PT0-002 material shows it; v5 uses modules load and options set, but the prompt and the workflow are otherwise the same):
recon-ng
[recon-ng][default] > workspaces create acmecorp
[recon-ng][acmecorp] > load recon/domains-hosts/google_site_web
[recon-ng][acmecorp][google_site_web] > set SOURCE acme.com
[recon-ng][acmecorp][google_site_web] > run
[recon-ng][acmecorp][google_site_web] > back
[recon-ng][acmecorp] > load recon/hosts-hosts/resolve
[recon-ng][acmecorp][resolve] > set SOURCE default
[recon-ng][acmecorp][resolve] > run
[recon-ng][acmecorp][resolve] > back
[recon-ng][acmecorp] > db query "SELECT host, ip_address FROM hosts"
[recon-ng][acmecorp] > load reporting/csv
[recon-ng][acmecorp][csv] > set TABLE hosts
[recon-ng][acmecorp][csv] > set FILENAME /tmp/acme_hosts.csv
[recon-ng][acmecorp][csv] > run
Install and Configure Maltego CE
Download Maltego CE from the vendor's site (historically https://www.paterva.com/web7/downloads.php; the product now lives at maltego.com). Create a free account if you don't have one. Install the application. On first launch, you will be prompted to log in and select a transform seed. Choose the default seed for Community Edition. The application will then download the initial transform set. You may need to install additional transform packs from the Transform Hub (e.g., Shodan, VirusTotal) if you have API keys. For the PT0-002 exam, know that Maltego CE is the free, non-commercial edition and that each transform it runs returns at most 12 entities. That is a per-transform cap, not a daily allowance, so a result list that stops at exactly 12 is the cap biting, not the end of the data.
Create a New Graph and Add Entities
In Maltego, create a new graph (File > New). The Entity Palette appears on the left. Drag a Domain entity onto the graph. Alternatively, you can right-click on the graph and select 'New Entity' > 'Domain'. Enter the domain name (e.g., example.com). The entity appears as a blue icon with the domain name. You can also start with an IP Address, Person, Email Address, or Phone Number. For the exam, remember that Maltego can start with any of these and expand outward. The graph is the central workspace; all relationships are displayed visually.
Run Transforms to Discover Relationships
Right-click on the domain entity. A context menu appears with available transforms. Select 'To IP Address [DNS]' (or similar). Maltego sends the domain to the transform server, which performs a DNS lookup. After a few seconds, new IP Address entities appear connected to the domain. You can continue running transforms on the IP addresses, such as 'To DNS Name [Reverse DNS]' or 'To Netblock [Whois]'. On CE, each transform run returns at most 12 entities, so watch for result lists that stop at exactly 12. The graph grows with each transform. Use the 'Prune' function to remove duplicate or irrelevant nodes. The exam expects you to know that transforms are the core mechanism for data enrichment.
Use Recon-ng to Automate Data Collection
Start Recon-ng from the command line. Create a new workspace: `workspaces create target_audit`. Load a recon module, e.g., `load recon/domains-hosts/google_site_web`. Set the source domain: `set SOURCE target.com`. Run the module: `run`. The module uses Google search to find subdomains and stores them in the hosts table. Then load the resolve module: `load recon/hosts-hosts/resolve`. Set the source to `default` (which uses the current hosts table) and run. The module resolves each hostname to an IP address and updates the hosts table with the IP. This automated sequence saves time compared to manual lookups. The exam tests your ability to choose the correct module for a given task.
Query the Database and Generate Reports
After running modules, data is stored in the SQLite database. Use `db schema` to list the tables and `db query` to run SQL against them; for example, `db query "SELECT * FROM hosts"` shows all discovered hosts. To export, load the reporting module for the format you want: `load reporting/csv` with TABLE and FILENAME set for one table, or `load reporting/html` with FILENAME (and optionally CREATOR and CUSTOMER) for a report of the whole workspace; reporting/xml and reporting/json work like the HTML module. There is no `db export` command; the reporting modules are the export path. The exam may ask about the default database location (~/.recon-ng/workspaces/<name>/data.db, one per workspace) and how to export data for use in other tools like Maltego. Recon-ng's reporting modules are essential for delivering findings to clients.
Import Recon-ng Data into Maltego for Visualization
Export the hosts table from Recon-ng as CSV with reporting/csv. In Maltego, open the table import wizard (Import Graph from Table on the Import | Export tab in Maltego 4; the menu label varies by version). Select the CSV file. Map columns to entity types (e.g., hostname -> DNS Name, IP -> IPv4 Address) and connect the two columns so each row becomes an edge, not two unrelated nodes. Maltego creates the entities on the graph. You can then run additional transforms on these entities to find more connections. This combination leverages Recon-ng's automation and Maltego's visualization. The exam might present a scenario where you have a large dataset from Recon-ng and need to analyze relationships – importing into Maltego is the correct answer.
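The three steps just described (modules writing to a shared hosts table, db query, CSV export for Maltego) in one runnable piece. This is an added illustration written for this chapter, not Recon-ng's own code: it mirrors the column set of Recon-ng v5's hosts table and the behaviour of recon/hosts-hosts/resolve with SOURCE default (only rows with no ip_address are selected; the first answer updates the row and any further answers become new rows), but the DNS answers come from a constructed lookup table rather than live resolution, and the example.com hostnames are made up.

```python
"""
Offline model of the Recon-ng data flow: discovery writes hostnames into a
workspace-style SQLite hosts table, resolve fills in ip_address, and an
export step produces the CSV that Maltego's table import consumes.
Added example; schema mirrors Recon-ng v5, DNS answers are constructed.
"""
import csv
import io
import sqlite3

# Column set of Recon-ng v5's hosts table; only host, ip_address and module are used here.
HOSTS_DDL = """CREATE TABLE IF NOT EXISTS hosts (
    host TEXT, ip_address TEXT, region TEXT, country TEXT,
    latitude TEXT, longitude TEXT, notes TEXT, module TEXT)"""

# Constructed answers for the example. vpn.example.com was found by search but no
# longer resolves; dev.example.com is absent, as an internal-only name would be.
CONSTRUCTED_DNS = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.20", "192.0.2.21"],
    "vpn.example.com": [],
}


def open_workspace(path=":memory:"):
    """Open (or create) a workspace database; Recon-ng keeps one data.db per workspace."""
    con = sqlite3.connect(path)
    con.execute(HOSTS_DDL)
    return con


def add_hosts(con, hostnames, module):
    """Discovery-module behaviour: insert each hostname once, tagged with the module that found it."""
    added = 0
    for host in hostnames:
        host = host.strip().lower()
        if con.execute("SELECT 1 FROM hosts WHERE host = ?", (host,)).fetchone():
            continue  # a host found by two modules is stored once
        con.execute("INSERT INTO hosts (host, module) VALUES (?, ?)", (host, module))
        added += 1
    con.commit()
    return added


def resolve_hosts(con, answers=CONSTRUCTED_DNS):
    """resolve-module behaviour with SOURCE=default: only rows lacking an address are touched."""
    pending = con.execute(
        "SELECT DISTINCT host FROM hosts WHERE host IS NOT NULL AND ip_address IS NULL"
    ).fetchall()
    resolved = 0
    for (host,) in pending:
        addrs = answers.get(host, [])
        if not addrs:
            continue  # leave the row unresolved rather than inventing an address
        con.execute(
            "UPDATE hosts SET ip_address = ? WHERE host = ? AND ip_address IS NULL",
            (addrs[0], host),
        )
        for extra in addrs[1:]:  # additional A records become additional rows
            con.execute(
                "INSERT INTO hosts (host, ip_address, module) VALUES (?, ?, ?)",
                (host, extra, "resolve"),
            )
        resolved += 1
    con.commit()
    return resolved


def query(con, sql):
    """Equivalent of `db query`: rows for an ad-hoc SELECT against the workspace."""
    return con.execute(sql).fetchall()


def unresolved_hosts(con):
    """Hosts that discovery found but resolve could not place; worth a manual look."""
    return [r[0] for r in query(con, "SELECT host FROM hosts WHERE ip_address IS NULL ORDER BY host")]


def export_for_maltego(con):
    """Two-column CSV (host, ip_address). In Maltego's table import, map column 1 to a
    DNS Name entity, column 2 to an IPv4 Address entity, and connect the columns so
    each row becomes an edge rather than two loose nodes."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "ip_address"])
    for host, ip in query(
        con, "SELECT host, ip_address FROM hosts WHERE ip_address IS NOT NULL ORDER BY host, ip_address"
    ):
        writer.writerow([host, ip])
    return buf.getvalue()


def run_pipeline():
    """google_site_web-style and brute_hosts-style discovery, then resolve, in one workspace."""
    con = open_workspace()
    add_hosts(con, ["www.example.com", "mail.example.com", "vpn.example.com"], "google_site_web")
    add_hosts(con, ["mail.example.com", "dev.example.com"], "brute_hosts")
    resolve_hosts(con)
    return con


if __name__ == "__main__":
    ws = run_pipeline()
    print(export_for_maltego(ws))
    print("unresolved:", unresolved_hosts(ws))
```

Run it with python3 to print the CSV. The unresolved list is the set of names worth checking by hand: a search-engine hit that no longer resolves is often a decommissioned host or an internal-only name that leaked into a public index, and neither should be dropped from the report just because resolve had nothing to say.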
Scenario 1: Penetration Testing a Medium-Sized Company
A penetration tester is hired to assess the security of a company called "Acme Corp." The tester starts with only the domain acme.com. Using Recon-ng, the tester runs the google_site_web module to find subdomains like mail.acme.com, dev.acme.com, and vpn.acme.com. Then the brute_hosts module with a wordlist of common subdomains discovers additional hosts like jenkins.acme.com. The resolve module converts these to IP addresses. The tester then gathers employee names and email addresses; the exam's answer here is the linkedin_contacts module, although current Recon-ng releases dropped the LinkedIn API modules and bing_linkedin_cache (Bing's cache of LinkedIn profiles) is the working route. All data is stored in the Recon-ng database. The tester exports the hosts to CSV and imports them into Maltego. In Maltego, the tester runs transforms on the IP addresses to find adjacent domains (e.g., acme-cloud.com) and on email addresses to find social media profiles. The visual graph reveals that the developer, John Doe, uses his work email for a personal GitHub account, which may leak credentials. The tester documents this as a finding. This scenario demonstrates the complementary use of both tools: Recon-ng for bulk collection, Maltego for relationship discovery.
Scenario 2: Red Team Engagement with Time Constraints
A red team has 48 hours to perform reconnaissance on a large organization with multiple subsidiaries. They use Recon-ng resource scripts to automate the entire process. They create a script that iterates through a list of 20 domains, runs subdomain enumeration, resolves IPs, performs reverse DNS, and checks for open ports using the Shodan module. The script runs overnight, collecting data into separate workspaces. The next day, the team imports the most promising targets into Maltego for visual analysis. They use Maltego's "Machines" feature to run a footprinting machine on each target domain, which automatically runs a series of transforms to map out the attack surface. The visual output helps the team identify critical assets like VPN endpoints and admin panels. Without Recon-ng's automation, they would not have covered all 20 domains in time. The exam might ask: "Which tool would you use to automate reconnaissance across multiple domains?" The answer is Recon-ng with resource scripts.
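The overnight multi-domain run from this scenario, and the single-domain resource script from the Automation section, scaled to a list of domains: an added example (not part of Recon-ng) that writes one Recon-ng v5 resource script in which every domain gets its own workspace, the discovery and resolution modules discussed in this chapter, and its own CSV of the hosts table. It uses v5 syntax (marketplace install, modules load, options set; use load and set for v4). The output directory /tmp/recon, the module list, and the hostname validation rule are assumptions of the example.

```python
"""
Build one Recon-ng v5 resource script that walks a list of domains,
isolating each in its own workspace, for an unattended overnight run.
Added example; module choice, output directory and validation are assumptions.
"""
import re

# Practical hostname check (RFC 1123 labels); rejects junk before it reaches the tool.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Modules seeded from the domain itself, then modules that pull from the hosts table.
DOMAIN_MODULES = ("recon/domains-hosts/google_site_web", "recon/domains-hosts/brute_hosts")
HOST_MODULES = ("recon/hosts-hosts/resolve", "recon/hosts-hosts/reverse_resolve")
REPORT_MODULE = "reporting/csv"


def workspace_name(domain):
    """Workspace names become directory names under ~/.recon-ng/workspaces; keep them safe."""
    return re.sub(r"[^a-z0-9]", "_", domain)


def normalize_domain(raw):
    """Lower-case, strip whitespace and a trailing dot; raise on anything that is not a hostname."""
    domain = raw.strip().lower().rstrip(".")
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"not a valid domain: {raw!r}")
    return domain


def commands_for_domain(domain, out_dir):
    """Per-domain block: new workspace, discovery, enrichment, CSV of the hosts table."""
    ws = workspace_name(domain)
    lines = [f"workspaces create {ws}"]  # create also switches into the workspace
    for mod in DOMAIN_MODULES:
        lines += [f"modules load {mod}", f"options set SOURCE {domain}", "run", "back"]
    for mod in HOST_MODULES:
        # SOURCE default = the module's own query over the current workspace's hosts table
        lines += [f"modules load {mod}", "options set SOURCE default", "run", "back"]
    lines += [
        f"modules load {REPORT_MODULE}",
        "options set TABLE hosts",
        f"options set FILENAME {out_dir}/{ws}_hosts.csv",
        "run",
        "back",
    ]
    return lines


def build_resource_script(domains, out_dir="/tmp/recon"):
    """Return the full script text; duplicates are dropped, invalid entries abort the build."""
    # Install each module once up front so a fresh v5 install does not fail on modules load.
    lines = [f"marketplace install {m}" for m in DOMAIN_MODULES + HOST_MODULES + (REPORT_MODULE,)]
    seen = set()
    for raw in domains:
        domain = normalize_domain(raw)
        if domain in seen:
            continue
        seen.add(domain)
        lines += commands_for_domain(domain, out_dir)
    lines.append("exit")  # without exit the run ends at an interactive prompt
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed target list; start the run with: recon-ng -r multi.rc
    with open("multi.rc", "w") as fh:
        fh.write(build_resource_script(["example.com", "example.org"]))
```

Keeping one workspace per domain matters because SOURCE default in resolve and reverse_resolve selects from the whole hosts table of the current workspace; with twenty domains in one workspace you would get a single mixed report and no easy way to tell which subsidiary a host belongs to. Validating the input list up front is worth the few lines: a stray line in domains.txt would otherwise be handed to Google and to brute_hosts as a target.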
Scenario 3: OSINT Investigation for Social Engineering
A social engineering test requires gathering personal information on key employees. The tester uses Maltego starting with the company name. The "To Person [Social Networks]" transform finds LinkedIn profiles. The tester then runs "To Email Address [TheHarvester]" to find associated email addresses. In Recon-ng, the tester uses the mailtester module to verify which email addresses are valid. The tester also uses the whois_pocs module to find administrative contacts from WHOIS records. The combined data gives a detailed profile of each employee, including their role, email, phone number, and social media presence. This information is used to craft convincing phishing emails. The exam may test your knowledge of which transforms/modules are appropriate for gathering specific types of data (e.g., mailtester for email verification, linkedin_contacts for employee names).
Objective 2.1: Given a scenario, perform passive reconnaissance – This objective specifically includes the use of Maltego and Recon-ng. The exam expects you to know the purpose, capabilities, and limitations of each tool. You must be able to select the appropriate tool for a given task.
Common Wrong Answers and Why Candidates Choose Them:
Choosing Nmap instead of Maltego for passive recon: Candidates often think Nmap is the go-to tool for network discovery. However, Nmap is an active scanning tool. The question will specify "passive reconnaissance" – Maltego and Recon-ng are passive (they query public databases) while Nmap sends packets. The correct answer is Maltego or Recon-ng.
Thinking Maltego only does DNS lookups: Maltego does much more than DNS; it can query social media, WHOIS, search engines, etc. Candidates who only know DNS transforms may underestimate Maltego's capabilities. The exam may ask which tool can find social media profiles – the answer is Maltego.
Confusing Recon-ng modules with Metasploit modules: Recon-ng's interface is modelled on Metasploit, but its purpose is reconnaissance. Its exploitation category contains only a couple of web-injection helpers; it has no exploit library, no payloads, and no post-exploitation. Candidates familiar with Metasploit may assume Recon-ng can exploit a discovered service – it cannot. The exam will test this distinction.
Assuming all Recon-ng modules are free: Some modules require API keys (e.g., Shodan, LinkedIn). Candidates may think they can run any module without configuration. The exam may present a scenario where a module fails because no API key is set – the correct answer is to add the key.
Specific Numbers, Values, and Terms That Appear Verbatim on the Exam:
Maltego CE limit: 12 entities returned per transform run (frequently misquoted as "12 transform credits per day"; the number is a per-transform result cap, not a daily budget).
Recon-ng database: SQLite, stored in ~/.recon-ng/workspaces/<workspace_name>/data.db.
Resource script extension: .rc (e.g., recon-ng -r script.rc).
Common module path: recon/domains-hosts/google_site_web.
Maltego entity types: Domain, IP Address, Email Address, Person, Phone Number, Company.
Transform Hub: The marketplace for additional transforms.
Edge Cases and Exceptions:
Maltego transforms may fail if the API is down or rate-limited. The exam may ask what to do when a transform returns no results – the answer is to try a different transform or verify the entity value.
Recon-ng's `brute_hosts` module requires a wordlist. If no wordlist is specified, it uses a default small list. The exam may test that you need to set the wordlist path.
Some Recon-ng modules are marked as "aggressive" or "active" because they interact with the target. mailtester is the usual example: it hands the address to a verification service that opens SMTP connections to the target's mail server, so the target sees traffic even though your own host never touched it. brute_hosts also generates DNS queries for names under the target's zone. The exam may ask which modules are truly passive – know that most recon modules are passive, but some like mailtester are borderline.
How to Eliminate Wrong Answers:
If the question asks for a tool to "visualize relationships," eliminate Recon-ng (CLI, no built-in graph) and choose Maltego.
If the question asks for "automated bulk data collection," eliminate Maltego (limited credits, manual) and choose Recon-ng.
If the question mentions "API keys," think of Recon-ng modules that require them.
If the question mentions "transforms," think of Maltego.
If the question mentions "workspaces," think of Recon-ng.
By focusing on these distinctions, you can confidently answer exam questions on Maltego and Recon-ng.
Maltego is a graphical OSINT tool that uses transforms to discover relationships between entities like domains, IPs, and people.
Recon-ng is a command-line reconnaissance framework with modular, automated data collection and a SQLite database.
Maltego CE caps each transform at 12 returned entities; Recon-ng has no such limit but may require API keys.
Common Recon-ng modules include google_site_web, brute_hosts, resolve, linkedin_contacts, and mailtester.
Both tools are used for passive reconnaissance; they do not send packets to the target (except some Recon-ng modules like mailtester which are borderline active).
Maltego is ideal for visualizing relationships; Recon-ng is ideal for automating data gathering across many targets.
Data from Recon-ng can be exported as CSV and imported into Maltego for visual analysis.
On the PT0-002 exam, distinguish between the two by whether the question emphasizes visualization (Maltego) or automation (Recon-ng).
These come up on the exam all the time. Here's how to tell them apart.
Maltego
Graphical user interface with visual link analysis
Transform results capped at 12 entities per transform (CE)
Best for exploratory, relationship-driven investigations
Supports transform chaining via Machines
Can import CSV data from other tools
Recon-ng
Command-line interface with modular architecture
Unlimited module runs (subject to API rate limits)
Best for automated, bulk data collection across many targets
Supports resource scripts for automation
Exports data to CSV, HTML, XML for import into other tools
Mistake
Maltego is only for DNS and WHOIS lookups.
Correct
Maltego can query dozens of data sources including social media (Twitter, LinkedIn), search engines (Bing, Google), public records, and vulnerability databases (VirusTotal, Shodan). Its transforms are extensible via the Transform Hub.
Mistake
Recon-ng can exploit vulnerabilities like Metasploit.
Correct
Recon-ng is a reconnaissance framework. Apart from a couple of web-injection helpers in its exploitation category, its modules gather, enrich, and report data; it has no exploit library or payloads. Exploitation is outside its scope and belongs to Metasploit or similar.
Mistake
Maltego CE returns unlimited results.
Correct
Maltego CE caps every transform at 12 returned entities (and is licensed for non-commercial use only). To see a full result set you need a paid edition. The 12 is often misremembered as a daily credit allowance; it is a per-transform cap. This is a critical exam point.
Mistake
Recon-ng modules work without any configuration.
Correct
Many Recon-ng modules require API keys (e.g., Shodan, GitHub, LinkedIn). Without setting these keys using the `keys add` command, the modules will fail or return no results.
Mistake
Maltego and Recon-ng are interchangeable.
Correct
They complement each other but serve different purposes. Maltego excels at visual link analysis and exploratory investigation. Recon-ng excels at automated, scalable data collection. A penetration tester often uses both in sequence.
Maltego is a graphical link analysis tool that visualizes relationships between entities using transforms. Recon-ng is a command-line framework that automates data collection using modules. Maltego is better for exploratory, visual investigations; Recon-ng is better for automated, bulk reconnaissance. Both are passive OSINT tools used in penetration testing.
Maltego Community Edition returns at most 12 entities per transform run, whatever the data source actually holds. There is no daily credit pool to exhaust; the cap applies on every run. To see full result sets you need a paid edition.
Many Recon-ng modules require API keys to access third-party services like Shodan, GitHub, LinkedIn, and Have I Been Pwned. You can add keys using the `keys add` command. Without the required key, the module will fail or return no data.
Yes. Export a table from Recon-ng as CSV using `reporting/csv` (set TABLE and FILENAME). Then in Maltego, use the table import wizard (Import Graph from Table) to map the CSV columns to entity types and connect them. This combines Recon-ng's automation with Maltego's visualization.
Most Recon-ng modules are passive because they query public APIs and databases without directly interacting with the target. However, some modules like `mailtester` send SMTP commands to verify email addresses, which could be considered active. For the exam, know that Recon-ng is primarily passive.
A Maltego Machine is a pre-configured sequence of transforms that runs automatically. For example, a 'Footprint' machine might take a domain, resolve it to IPs, do reverse DNS, find adjacent domains, and more. Machines save time by automating common investigative workflows.
Maltego graphs are saved as .mtgx files (older versions used .mtgl) via File > Save. You can export graphs as images (PNG, SVG), PDF, or a table (CSV/Excel) from the Import | Export functions. Shared graphs can be opened by other Maltego users. The graph file contains all entities, links, and the transforms applied.